Double free when calling `sys_info::disk_info` from multiple threads
Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment. This results in consistent...
Use after free in ArcIntern::drop
ArcIntern::drop has a race condition where it can release memory which is about to get another user. The new user will get a reference to freed memory. This was fixed by serializing access to an interned object while it is being deallocated. Versions prior to 0.3.12 used stronger locking which...
`LocalRequest::clone` creates multiple mutable references to the same object
The affected version of rocket contains a Clone trait implementation of LocalRequest that reuses the pointer to the inner Request object. This causes a data race in rare combinations of APIs if the original and the cloned objects are modified at the same time...
crate has been renamed to `block-cipher`
This crate has been renamed from block-cipher-trait to block-cipher. The new repository location is at:...
tokio-rustls reads may cause excessive memory usage
tokio-rustls does not call `process_new_packets` immediately after `read`, so the expected termination condition `wants_read` always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS...
rio allows a use-after-free buffer access when a future is leaked
When a rio::Completion is leaked, its drop code will not run. The drop code is responsible for waiting until the kernel completes the I/O operation into, or out of, the buffer borrowed by rio::Completion. Leaking the struct will allow one to access and/or drop the buffer, which can lead to a...
`array!` macro is unsound in presence of traits that implement methods it calls internally
Affected versions of this crate called some methods using auto-ref. The affected code looked like this: `let mut arr = $crate::core::mem::MaybeUninit::uninit();` `let mut vec = $crate::ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T);` In this case, the problem is that `as_mut_ptr` is a method of `&mut MaybeUninit`...
bigint is unmaintained, use uint instead
The bigint crate is not maintained any more and contains several known bugs including a soundness bug; use uint instead...
stdweb is unmaintained
The author of the stdweb crate is unresponsive. Maintained alternatives: - wasm-bindgen - js-sys - web-sys...
futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer
Affected versions of the crate used an UnsafeCell in thread-local storage to return a noop waker reference, assuming that the reference would never be returned from another thread. This resulted in a segmentation fault crash if `Waker::wake_by_ref` was called on a waker returned from another thread du...
failure is officially deprecated/unmaintained
The failure crate is officially end-of-life: it has been marked as deprecated by the former maintainer, who has announced that there will be no updates or maintenance work on it going forward. The following are some suggested actively developed alternatives to switch to: - anyhow - eyre - fehler ...
`net2` crate has been deprecated; use `socket2` instead
The net2 crate has been deprecated and users are encouraged to consider socket2 instead...
Crash causing Denial of Service attack
Server or client applications that call the `SSL_check_chain` function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm i...
fake-static allows converting any reference into a `'static` reference
fake-static allows converting a reference with any lifetime into a reference with 'static lifetime without the unsafe keyword. Internally, this crate does not use unsafe code, it instead exploits a soundness bug in rustc: https://github.com/rust-lang/rust/issues/25860...
Relies on undefined behavior of `char::from_u32_unchecked`
The Windows implementation of this crate relied on the behavior of `std::char::from_u32_unchecked` when its safety clause is violated. Even though this worked with Rust versions up to 1.42 at least, that behavior could change with any new Rust version, possibly leading to a security issue. The flaw was...
Library exclusively intended to obfuscate code.
This crate allows you to write safe functions with unsafe bodies without the unsafe keyword. The value this adds is questionable, and hides unsafe usages from naive analysis...
Various memory safety issues
Several memory safety issues have been uncovered in an audit of rusqlite. See https://github.com/rusqlite/rusqlite/releases/tag/0.23.0 for a complete list...
`stb_truetype` crate has been deprecated; use `ttf-parser` instead
This crate was maintained for use in rusttype which has switched to use ttf-parser...
`read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks
The `read_scalar` and `read_scalar_at` functions are unsound because they allow transmuting values without unsafe blocks. The following example shows how to create a dangling reference: `fn main() { #[derive(Copy, Clone, PartialEq, Debug)] struct S(&'static str); impl flatbuffers::EndianScalar for S { fn`...
arr! macro erases lifetimes
Affected versions of this crate allowed unsoundly extending lifetimes using arr! macro. This may result in a variety of memory corruption scenarios, most likely use-after-free...
use-after or double free of allocated memory
Conversion of BitVec to BitBox did not account for allocation movement. The flaw was corrected by using the address after resizing, rather than the original base address...
Flaw in `realloc` allows reading unknown memory
When `realloc`ing, if we allocate new space, we need to copy the old allocation's bytes into the new space. There are `old_size` number of bytes in the old allocation, but we were accidentally copying `new_size` number of bytes, which could lead to copying bytes into the realloc'd space from past the chu...
Flaw in hyper allows request smuggling by sending a body in GET requests
Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted as a separate HTTP request. This allows an attacker who can control...
CBox API allows to de-reference raw pointers without `unsafe` code
CBox and CSemiBox are part of the public API of the cbox crate and they allow to create smart pointers from raw pointers and de-reference them without the need of unsafe code...
tiberius is unmaintained
The author of tiberius has archived the GitHub repository and left the following note: I do not have the time to overhaul the library and do not intend to further maintain the 0.3 version relying on the old futures ecosystem. Suggested alternatives are: - odbc - sqlx forthcoming...
rulinalg is unmaintained, use nalgebra instead
The rulinalg crate is no longer maintained, use nalgebra instead...
Lifetime boundary for `raw_slice` and `raw_slice_mut` are incorrect
The affected version of rulinalg has incorrect lifetime boundary definitions for `RowMut::raw_slice` and `RowMut::raw_slice_mut`. They do not conform with Rust's borrowing rule and allow the user to create multiple mutable references to the same location. This may result in unexpected calculation resul...
slice-deque is unmaintained
The author of the slice-deque crate is unresponsive and is not receiving security patches. Maintained alternatives: - slice-ring-buffer...
lzw is unmaintained
The author of the lzw crate is unresponsive. Maintained alternatives: - weezl...
multi_mut is Unmaintained
Last release was about 6 years ago. There is an outstanding soundness issue. The maintainer has not responded for two years to the existing soundness issue. The Rust compiler has enabled errors relating to LLVM noalias rules and the crate may not compile anymore, whereas the old compiler versions had turned...
`tokio-proto` is deprecated/unmaintained
The tokio-proto crate has been deprecated, and its GitHub repository has been archived. Users may be interested in tokio-tower instead, per https://github.com/tokio-rs/tokio/issues/118#issuecomment-452969665...
Use-after-free in Framed due to lack of pinning
Affected versions of this crate did not require the buffer wrapped in Framed to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free. The flaw was corrected by making the affected functions accept Pin instead of &mut self...
Contents of uninitialized memory exposed in DeflateOutput's AsyncRead implementation
Affected versions of this crate pass an uninitialized buffer to a user-provided trait function `AsyncRead::poll_read`. Arbitrary `AsyncRead::poll_read` implementations can read from the uninitialized buffer (memory exposure) and can also return an incorrect number of bytes written to the buffer. Reading...
Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption
Affected versions of the crate had an unsound Sync implementation on the FuturesUnordered structure, which used a Cell for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely. This could have led to data corruption since two threa...
sigstack allocation bug can cause memory corruption or leak
An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest programs. This can potentially cause data from the embedding host to le...
Use-after-free in BodyStream due to lack of pinning
Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free. The flaw was corrected by making the trait MessageBody require Unpin and making the `poll_next` function accept Pin...
Observable Discrepancy in libsecp256k1-rs
A timing vulnerability in the `Scalar::check_overflow` function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack...
Threshold value is ignored (all shares are n=3)
Affected versions of this crate did not properly calculate secret shares requirements. This reduces the security of the algorithm by restricting the crate to always using a threshold value of three, rather than a configurable limit. The flaw was corrected by correctly configuring the threshold...
rust_sodium is unmaintained; switch to a modern alternative
The rust_sodium crate is no longer maintained by its current owner, who advise in the repository readme that they are looking for someone else to take ownership of it. We recommend you switch to an alternative crate such as: - sodiumoxide...
Parsing a specially crafted message can result in a stack overflow
Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. On architectures with stack probes like x86, this can be used for denial of service attacks, while on architectures without stack probes like ARM overflowing the stack is unsound and can...
bespoke Cell implementation allows obtaining several mutable references to the same data
The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. T...
bespoke Cell implementation allows obtaining several mutable references to the same data
The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. T...
Stack overflow when resolving additional records from MX or SRV null targets
There's a stack overflow leading to a crash and potential DoS when processing additional records for return of MX or SRV record types from the server. This is only possible when a zone is configured with a null target for MX or SRV records, i.e. '.'. Example affected zone record: no-service...
crust repo has been archived; use libp2p instead
The crust crate repo was archived with no warning or explanation. Given that it was archived with no warning or successor, there's not an official replacement but rust-libp2p looks like it's got a similar feature set and is actively maintained...
spin is no longer actively maintained
The author of the spin crate does not have time or interest to maintain it. Consider the following alternatives (all of which support `no_std`): - conquer-once - lock_api (a subproject of parking_lot) - spinning_top (spinlock crate built on lock_api) - spinning...
Integer Overflow in HeaderMap::reserve() can cause Denial of Service
`HeaderMap::reserve` used `usize::next_power_of_two` to calculate the increased capacity. However, `next_power_of_two` silently overflows to 0 if given a sufficiently large number in release mode. If the map was not empty when the overflow happens, the library will invoke `self.grow(0)` and start infinite probin...
HeaderMap::Drain API is unsound
Affected versions of this crate incorrectly used raw pointer, which introduced unsoundness in its public safe API. Failing to drop the Drain struct causes double-free, and it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation. The flaw was corrected ...
Type confusion if __private_get_type_id__ is overridden
Safe Rust code can implement a malfunctioning `__private_get_type_id__` and cause type confusion when downcasting, which is undefined behavior. Users who derive the Fail trait are not affected...
ChaCha20 counter overflow can expose repetitions in the keystream
The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (256GB) before the 32-bit counter overflows. Releases of the chacha20 crate prior to v0.2.3 allow generating keystreams larger than this, including seeking past the limit. When this occurs, the keystream is duplicated, with failure mod...
Unsound `impl Follow for bool`
The implementation of impl Follow for bool allows to reinterpret arbitrary bytes as a bool. In Rust bool has stringent requirements for its in-memory representation. Use of this function allows to violate these requirements and invoke undefined behaviour in safe code...